Back at Work at Last

From the lack of updates you can probably guess that I didn't accomplish much this summer. Life got in the way as I had too much else to do. But now the fall semester has started, I'm officially registered for just 3 credits for my Master's project class, meaning I'll be doing another 3 in the spring and graduating in May instead of December, and I'm back at work on the project. I finally started sprint 1 on September 1.

So far I've primarily been researching for the "restrict access to the HSQLDB" and "change the way passwords are stored and transmitted" backlog items. After vast amounts of googling I've discovered how to do these things and, for the second, decided which methods are needed. I'll be using SSL just for when the user logs in and the bcrypt algorithm as implemented in jBCrypt to hash passwords before storing them. Other than passwords there really isn't any sensitive info in the app; if people didn't reuse passwords they wouldn't even be sensitive, but people do, so...

I chose bcrypt over scrypt and PBKDF2 primarily as a result of this discussion. bcrypt is better than PBKDF2 by some amount, but unlike scrypt it doesn't take up huge amounts of memory when it's running. Since the app will run on my prof's box, and I have no idea what else he's going to be doing with it, I figure better safe than sorry.
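Hashing before storage with jBCrypt, as an added example that is not code from this post or the project: it stores the 60-character bcrypt string, fails closed on malformed stored values, and flags hashes made with a lower cost for replacement. The class name `PasswordHasher`, the cost of 12, and the reject-over-72-bytes policy are assumptions; the jBCrypt jar must be on the classpath.

```java
import java.nio.charset.StandardCharsets;
import org.mindrot.jbcrypt.BCrypt;

public final class PasswordHasher {            // hypothetical class name
    private static final int LOG_ROUNDS = 12;  // assumed cost; tune on the deployment host
    private static final int MAX_BYTES = 72;   // bcrypt ignores input beyond 72 bytes

    /** Returns the 60-character "$2a$..." value to store; cost and salt are embedded in it. */
    public static String hash(String password) {
        if (password.getBytes(StandardCharsets.UTF_8).length > MAX_BYTES) {
            throw new IllegalArgumentException("password longer than 72 bytes");
        }
        return BCrypt.hashpw(password, BCrypt.gensalt(LOG_ROUNDS));
    }

    /** Checks a login attempt; a missing or malformed stored value fails closed. */
    public static boolean verify(String candidate, String stored) {
        if (candidate == null || !wellFormed(stored)) {
            return false;
        }
        try {
            return BCrypt.checkpw(candidate, stored);
        } catch (IllegalArgumentException e) { // e.g. a cost jBCrypt refuses to run
            return false;
        }
    }

    /** True when the stored hash used a lower cost and should be replaced after a successful login. */
    public static boolean needsRehash(String stored) {
        // Layout: $2a$ + two-digit cost + $ + 22-char salt + 31-char hash
        return wellFormed(stored) && Integer.parseInt(stored.substring(4, 6)) < LOG_ROUNDS;
    }

    private static boolean wellFormed(String stored) {
        return stored != null && stored.matches("\\$2a\\$\\d{2}\\$[./A-Za-z0-9]{53}");
    }

    public static void main(String[] args) {
        String stored = hash("correct horse battery staple"); // constructed sample password
        System.out.println(stored.length());
        System.out.println(verify("correct horse battery staple", stored));
        System.out.println(verify("wrong guess", stored));
        System.out.println(verify("anything", "not-a-bcrypt-value")); // constructed malformed record
        String old = BCrypt.hashpw("x", BCrypt.gensalt(4));   // constructed low-cost hash
        System.out.println(needsRehash(old) + " " + needsRehash(stored));
    }
}
```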

Using bcrypt does mean I'll need to write a custom Tomcat Realm to handle security because Tomcat only does SHA, MD2 and MD5 by default. Unfortunately many of the tutorials on that topic are out of date at this point (things seem to have changed quite a bit at some point before version 7 of Tomcat) so I'm not 100% sure how this is going to work yet. Everything else seems pretty straightforward so hopefully experimenting and fiddling with Realms won't put me too far behind.

I'm hoping to get these two items finished tomorrow now that I know how to do them. The rest... We'll see how much time I'll actually have over the next week and a half. Wish me luck!
